Analysis
max time kernel: 114s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2024 03:00
Behavioral task: behavioral1
Sample: 85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe
Resource: win7-20240708-en
General
Target: 85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe
Size: 337KB
MD5: d20dc6eecd5430ca33d18a749ae3ef80
SHA1: d8e5f197ac940365da7a71abd1565dafbbba9a89
SHA256: 85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4a
SHA512: 1866bee1a3f3e39e8eccc04bc78875d7c808f9e89c2ce3499eebc8ed64f9d207da78ec7055f8d1ea58daaceab840851b17f87e4becbc005f4dd976943ba2cd5a
SSDEEP: 6144:uhPZhfPbMmYaHSoYrWxCW1+fIyG5jZkCwi8r:uhPZhfPbMmYaHSoYrWxeiZkCwiY
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 12912, pid_target: 3956, Process: WerFault.exe, procid_target: 663
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 1452 5076 85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe 91 PID 5076 wrote to memory of 1452 5076 85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe 91 PID 5076 wrote to memory of 1452 5076 85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe 91 PID 1452 wrote to memory of 32 1452 Mapgfk32.exe 92 PID 1452 wrote to memory of 32 1452 Mapgfk32.exe 92 PID 1452 wrote to memory of 32 1452 Mapgfk32.exe 92 PID 32 wrote to memory of 4612 32 Mdodbf32.exe 93 PID 32 wrote to memory of 4612 32 Mdodbf32.exe 93 PID 32 wrote to memory of 4612 32 Mdodbf32.exe 93 PID 4612 wrote to memory of 1324 4612 Mfmpob32.exe 94 PID 4612 wrote to memory of 1324 4612 Mfmpob32.exe 94 PID 4612 wrote to memory of 1324 4612 Mfmpob32.exe 94 PID 1324 wrote to memory of 3716 1324 Mmiealgc.exe 95 PID 1324 wrote to memory of 3716 1324 Mmiealgc.exe 95 PID 1324 wrote to memory of 3716 1324 Mmiealgc.exe 95 PID 3716 wrote to memory of 3024 3716 Nfaijand.exe 96 PID 3716 wrote to memory of 3024 3716 Nfaijand.exe 96 PID 3716 wrote to memory of 3024 3716 Nfaijand.exe 96 PID 3024 wrote to memory of 3336 3024 Nmlafk32.exe 97 PID 3024 wrote to memory of 3336 3024 Nmlafk32.exe 97 PID 3024 wrote to memory of 3336 3024 Nmlafk32.exe 97 PID 3336 wrote to memory of 1464 3336 Nkpbpp32.exe 98 PID 3336 wrote to memory of 1464 3336 Nkpbpp32.exe 98 PID 3336 wrote to memory of 1464 3336 Nkpbpp32.exe 98 PID 1464 wrote to memory of 3352 1464 Nffceq32.exe 99 PID 1464 wrote to memory of 3352 1464 Nffceq32.exe 99 PID 1464 wrote to memory of 3352 1464 Nffceq32.exe 99 PID 3352 wrote to memory of 1904 3352 Npognfpo.exe 100 PID 3352 wrote to memory of 1904 3352 Npognfpo.exe 100 PID 3352 wrote to memory of 1904 3352 Npognfpo.exe 100 PID 1904 wrote to memory of 1740 1904 Nmbhgjoi.exe 101 PID 1904 wrote to memory of 1740 1904 Nmbhgjoi.exe 101 PID 1904 wrote to memory of 1740 1904 Nmbhgjoi.exe 101 PID 1740 wrote to 
memory of 492 1740 Nkghqo32.exe 102 PID 1740 wrote to memory of 492 1740 Nkghqo32.exe 102 PID 1740 wrote to memory of 492 1740 Nkghqo32.exe 102 PID 492 wrote to memory of 3232 492 Ohkijc32.exe 103 PID 492 wrote to memory of 3232 492 Ohkijc32.exe 103 PID 492 wrote to memory of 3232 492 Ohkijc32.exe 103 PID 3232 wrote to memory of 4236 3232 Opfnne32.exe 104 PID 3232 wrote to memory of 4236 3232 Opfnne32.exe 104 PID 3232 wrote to memory of 4236 3232 Opfnne32.exe 104 PID 4236 wrote to memory of 2080 4236 Oinbgk32.exe 105 PID 4236 wrote to memory of 2080 4236 Oinbgk32.exe 105 PID 4236 wrote to memory of 2080 4236 Oinbgk32.exe 105 PID 2080 wrote to memory of 3564 2080 Oknnanhj.exe 106 PID 2080 wrote to memory of 3564 2080 Oknnanhj.exe 106 PID 2080 wrote to memory of 3564 2080 Oknnanhj.exe 106 PID 3564 wrote to memory of 4144 3564 Opjgidfa.exe 107 PID 3564 wrote to memory of 4144 3564 Opjgidfa.exe 107 PID 3564 wrote to memory of 4144 3564 Opjgidfa.exe 107 PID 4144 wrote to memory of 1864 4144 Onngci32.exe 108 PID 4144 wrote to memory of 1864 4144 Onngci32.exe 108 PID 4144 wrote to memory of 1864 4144 Onngci32.exe 108 PID 1864 wrote to memory of 2360 1864 Oggllnkl.exe 109 PID 1864 wrote to memory of 2360 1864 Oggllnkl.exe 109 PID 1864 wrote to memory of 2360 1864 Oggllnkl.exe 109 PID 2360 wrote to memory of 3720 2360 Oiehhjjp.exe 110 PID 2360 wrote to memory of 3720 2360 Oiehhjjp.exe 110 PID 2360 wrote to memory of 3720 2360 Oiehhjjp.exe 110 PID 3720 wrote to memory of 2376 3720 Opopdd32.exe 111 PID 3720 wrote to memory of 2376 3720 Opopdd32.exe 111 PID 3720 wrote to memory of 2376 3720 Opopdd32.exe 111 PID 2376 wrote to memory of 3756 2376 Phiekaql.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe"C:\Users\Admin\AppData\Local\Temp\85ab621f6f3ba6d4c2ef7ae425a5f37980f3d91313853a1cb4116d05b0b08f4aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Mapgfk32.exeC:\Windows\system32\Mapgfk32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Mdodbf32.exeC:\Windows\system32\Mdodbf32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
C:\Windows\SysWOW64\Mfmpob32.exeC:\Windows\system32\Mfmpob32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\SysWOW64\Mmiealgc.exeC:\Windows\system32\Mmiealgc.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Nfaijand.exeC:\Windows\system32\Nfaijand.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Nmlafk32.exeC:\Windows\system32\Nmlafk32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Nkpbpp32.exeC:\Windows\system32\Nkpbpp32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\Nffceq32.exeC:\Windows\system32\Nffceq32.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Npognfpo.exeC:\Windows\system32\Npognfpo.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\Nmbhgjoi.exeC:\Windows\system32\Nmbhgjoi.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Nkghqo32.exeC:\Windows\system32\Nkghqo32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Ohkijc32.exeC:\Windows\system32\Ohkijc32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Opfnne32.exeC:\Windows\system32\Opfnne32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Oinbgk32.exeC:\Windows\system32\Oinbgk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\Oknnanhj.exeC:\Windows\system32\Oknnanhj.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Opjgidfa.exeC:\Windows\system32\Opjgidfa.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Onngci32.exeC:\Windows\system32\Onngci32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Oggllnkl.exeC:\Windows\system32\Oggllnkl.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Oiehhjjp.exeC:\Windows\system32\Oiehhjjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Opopdd32.exeC:\Windows\system32\Opopdd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
C:\Windows\SysWOW64\Phiekaql.exeC:\Windows\system32\Phiekaql.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Pkgaglpp.exeC:\Windows\system32\Pkgaglpp.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Paaidf32.exeC:\Windows\system32\Paaidf32.exe24⤵
- Executes dropped EXE
PID:5008 -
C:\Windows\SysWOW64\Pdbbfadn.exeC:\Windows\system32\Pdbbfadn.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4728 -
C:\Windows\SysWOW64\Pddokabk.exeC:\Windows\system32\Pddokabk.exe26⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Qjcdih32.exeC:\Windows\system32\Qjcdih32.exe27⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Qggebl32.exeC:\Windows\system32\Qggebl32.exe28⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Ahgamo32.exeC:\Windows\system32\Ahgamo32.exe29⤵
- Executes dropped EXE
PID:4528 -
C:\Windows\SysWOW64\Ahinbo32.exeC:\Windows\system32\Ahinbo32.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Akjgdjoj.exeC:\Windows\system32\Akjgdjoj.exe31⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\SysWOW64\Ajodef32.exeC:\Windows\system32\Ajodef32.exe32⤵
- Executes dropped EXE
PID:4016 -
C:\Windows\SysWOW64\Akopoi32.exeC:\Windows\system32\Akopoi32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Bgeadjai.exeC:\Windows\system32\Bgeadjai.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4068 -
C:\Windows\SysWOW64\Bnoiqd32.exeC:\Windows\system32\Bnoiqd32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Bqnemp32.exeC:\Windows\system32\Bqnemp32.exe36⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Bkcjjhgp.exeC:\Windows\system32\Bkcjjhgp.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4324 -
C:\Windows\SysWOW64\Bdlncn32.exeC:\Windows\system32\Bdlncn32.exe38⤵
- Executes dropped EXE
PID:3680 -
C:\Windows\SysWOW64\Bqbohocd.exeC:\Windows\system32\Bqbohocd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Bjkcqdje.exeC:\Windows\system32\Bjkcqdje.exe40⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Bjmpfdhb.exeC:\Windows\system32\Bjmpfdhb.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3600 -
C:\Windows\SysWOW64\Cjomldfp.exeC:\Windows\system32\Cjomldfp.exe42⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Ciqmjkno.exeC:\Windows\system32\Ciqmjkno.exe43⤵
- Executes dropped EXE
PID:3688 -
C:\Windows\SysWOW64\Cjaiac32.exeC:\Windows\system32\Cjaiac32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\Calbnnkj.exeC:\Windows\system32\Calbnnkj.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Cjdfgc32.exeC:\Windows\system32\Cjdfgc32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Ckcbaf32.exeC:\Windows\system32\Ckcbaf32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3456 -
C:\Windows\SysWOW64\Capkim32.exeC:\Windows\system32\Capkim32.exe48⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Cgjcfgoa.exeC:\Windows\system32\Cgjcfgoa.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:4860 -
C:\Windows\SysWOW64\Dbphcpog.exeC:\Windows\system32\Dbphcpog.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Dlhlleeh.exeC:\Windows\system32\Dlhlleeh.exe51⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Dbbdip32.exeC:\Windows\system32\Dbbdip32.exe52⤵
- Executes dropped EXE
PID:4064 -
C:\Windows\SysWOW64\Dgomaf32.exeC:\Windows\system32\Dgomaf32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Dnienqbi.exeC:\Windows\system32\Dnienqbi.exe54⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Decmjjie.exeC:\Windows\system32\Decmjjie.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3616 -
C:\Windows\SysWOW64\Dnkbcp32.exeC:\Windows\system32\Dnkbcp32.exe56⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Diafqi32.exeC:\Windows\system32\Diafqi32.exe57⤵
- Executes dropped EXE
PID:4784 -
C:\Windows\SysWOW64\Dnnoip32.exeC:\Windows\system32\Dnnoip32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\Dbijinfl.exeC:\Windows\system32\Dbijinfl.exe59⤵
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\Ejdonq32.exeC:\Windows\system32\Ejdonq32.exe60⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Eangjkkd.exeC:\Windows\system32\Eangjkkd.exe61⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ejglcq32.exeC:\Windows\system32\Ejglcq32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220 -
C:\Windows\SysWOW64\Eelpqi32.exeC:\Windows\system32\Eelpqi32.exe63⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Elfhmc32.exeC:\Windows\system32\Elfhmc32.exe64⤵
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Eacaej32.exeC:\Windows\system32\Eacaej32.exe65⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ehmibdol.exeC:\Windows\system32\Ehmibdol.exe66⤵
PID:3520 -
C:\Windows\SysWOW64\Ebbmpmnb.exeC:\Windows\system32\Ebbmpmnb.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Ehofhdli.exeC:\Windows\system32\Ehofhdli.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4468 -
C:\Windows\SysWOW64\Ejnbdp32.exeC:\Windows\system32\Ejnbdp32.exe69⤵
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Eiobbgcl.exeC:\Windows\system32\Eiobbgcl.exe70⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\Fjpoio32.exeC:\Windows\system32\Fjpoio32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Fiaogfai.exeC:\Windows\system32\Fiaogfai.exe72⤵
- System Location Discovery: System Language Discovery
PID:4828 -
C:\Windows\SysWOW64\Falcli32.exeC:\Windows\system32\Falcli32.exe73⤵
PID:1216 -
C:\Windows\SysWOW64\Foqdem32.exeC:\Windows\system32\Foqdem32.exe74⤵
- Modifies registry class
PID:4512 -
C:\Windows\SysWOW64\Fifhbf32.exeC:\Windows\system32\Fifhbf32.exe75⤵
PID:5060 -
C:\Windows\SysWOW64\Fkgejncb.exeC:\Windows\system32\Fkgejncb.exe76⤵
PID:3980 -
C:\Windows\SysWOW64\Fiheheka.exeC:\Windows\system32\Fiheheka.exe77⤵
PID:4824 -
C:\Windows\SysWOW64\Flgadake.exeC:\Windows\system32\Flgadake.exe78⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Foenplji.exeC:\Windows\system32\Foenplji.exe79⤵
- Modifies registry class
PID:5148 -
C:\Windows\SysWOW64\Feofmf32.exeC:\Windows\system32\Feofmf32.exe80⤵
- Modifies registry class
PID:5188 -
C:\Windows\SysWOW64\Ghmbib32.exeC:\Windows\system32\Ghmbib32.exe81⤵
PID:5232 -
C:\Windows\SysWOW64\Gbcffk32.exeC:\Windows\system32\Gbcffk32.exe82⤵
PID:5272 -
C:\Windows\SysWOW64\Geabbfoc.exeC:\Windows\system32\Geabbfoc.exe83⤵
PID:5308 -
C:\Windows\SysWOW64\Gojgkl32.exeC:\Windows\system32\Gojgkl32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5356 -
C:\Windows\SysWOW64\Gkqhpmkg.exeC:\Windows\system32\Gkqhpmkg.exe85⤵
PID:5404 -
C:\Windows\SysWOW64\Geflne32.exeC:\Windows\system32\Geflne32.exe86⤵
PID:5476 -
C:\Windows\SysWOW64\Gkcdfl32.exeC:\Windows\system32\Gkcdfl32.exe87⤵
PID:5540 -
C:\Windows\SysWOW64\Gkeakl32.exeC:\Windows\system32\Gkeakl32.exe88⤵
PID:5584 -
C:\Windows\SysWOW64\Hkgnalep.exeC:\Windows\system32\Hkgnalep.exe89⤵
PID:5628 -
C:\Windows\SysWOW64\Haafnf32.exeC:\Windows\system32\Haafnf32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5672 -
C:\Windows\SysWOW64\Hiinoc32.exeC:\Windows\system32\Hiinoc32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5716 -
C:\Windows\SysWOW64\Hkjjfkcm.exeC:\Windows\system32\Hkjjfkcm.exe92⤵
- Modifies registry class
PID:5760 -
C:\Windows\SysWOW64\Hoefgj32.exeC:\Windows\system32\Hoefgj32.exe93⤵
PID:5804 -
C:\Windows\SysWOW64\Hikkdc32.exeC:\Windows\system32\Hikkdc32.exe94⤵
PID:5852 -
C:\Windows\SysWOW64\Hhnkppbf.exeC:\Windows\system32\Hhnkppbf.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Hligqnjp.exeC:\Windows\system32\Hligqnjp.exe96⤵
PID:5940 -
C:\Windows\SysWOW64\Hccomh32.exeC:\Windows\system32\Hccomh32.exe97⤵
PID:5984 -
C:\Windows\SysWOW64\Hahlnefd.exeC:\Windows\system32\Hahlnefd.exe98⤵
PID:6028 -
C:\Windows\SysWOW64\Hchihhng.exeC:\Windows\system32\Hchihhng.exe99⤵
PID:6072 -
C:\Windows\SysWOW64\Iibaeb32.exeC:\Windows\system32\Iibaeb32.exe100⤵
- Drops file in System32 directory
PID:6116 -
C:\Windows\SysWOW64\Iooimi32.exeC:\Windows\system32\Iooimi32.exe101⤵
- Modifies registry class
PID:4040 -
C:\Windows\SysWOW64\Iameid32.exeC:\Windows\system32\Iameid32.exe102⤵
PID:5196 -
C:\Windows\SysWOW64\Ijdnka32.exeC:\Windows\system32\Ijdnka32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5280 -
C:\Windows\SysWOW64\Ikejbjip.exeC:\Windows\system32\Ikejbjip.exe104⤵
PID:5352 -
C:\Windows\SysWOW64\Ioafchai.exeC:\Windows\system32\Ioafchai.exe105⤵
PID:5460 -
C:\Windows\SysWOW64\Iapbodql.exeC:\Windows\system32\Iapbodql.exe106⤵
PID:5572 -
C:\Windows\SysWOW64\Ijgjpaao.exeC:\Windows\system32\Ijgjpaao.exe107⤵
PID:5636 -
C:\Windows\SysWOW64\Ihjjln32.exeC:\Windows\system32\Ihjjln32.exe108⤵
- Modifies registry class
PID:5752 -
C:\Windows\SysWOW64\Iocchhof.exeC:\Windows\system32\Iocchhof.exe109⤵
- Modifies registry class
PID:5788 -
C:\Windows\SysWOW64\Icooig32.exeC:\Windows\system32\Icooig32.exe110⤵
PID:5908 -
C:\Windows\SysWOW64\Ifnkeb32.exeC:\Windows\system32\Ifnkeb32.exe111⤵
PID:5996 -
C:\Windows\SysWOW64\Ihlgan32.exeC:\Windows\system32\Ihlgan32.exe112⤵
- System Location Discovery: System Language Discovery
PID:6136 -
C:\Windows\SysWOW64\Ikjcmi32.exeC:\Windows\system32\Ikjcmi32.exe113⤵
PID:5216 -
C:\Windows\SysWOW64\Icakofel.exeC:\Windows\system32\Icakofel.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5412 -
C:\Windows\SysWOW64\Ifphkbep.exeC:\Windows\system32\Ifphkbep.exe115⤵
PID:5504 -
C:\Windows\SysWOW64\Ijkdkq32.exeC:\Windows\system32\Ijkdkq32.exe116⤵
- System Location Discovery: System Language Discovery
PID:5708 -
C:\Windows\SysWOW64\Iljpgl32.exeC:\Windows\system32\Iljpgl32.exe117⤵
PID:5844 -
C:\Windows\SysWOW64\Iohlcg32.exeC:\Windows\system32\Iohlcg32.exe118⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Jbghpc32.exeC:\Windows\system32\Jbghpc32.exe119⤵
- Modifies registry class
PID:5296 -
C:\Windows\SysWOW64\Jfdafa32.exeC:\Windows\system32\Jfdafa32.exe120⤵
PID:5532 -
C:\Windows\SysWOW64\Jomeoggk.exeC:\Windows\system32\Jomeoggk.exe121⤵
- Drops file in System32 directory
PID:5772 -
C:\Windows\SysWOW64\Jkcfch32.exeC:\Windows\system32\Jkcfch32.exe122⤵
PID:5976